
Opened 2 years ago

Closed 2 years ago

#9901 closed defect (fixed)

Billing page is visible to anonymous users

Reported by: lguillaume@… Owned by: bobbysmith007
Priority: highest Component: TimingAndEstimationPlugin
Severity: critical Keywords:
Cc: Trac Release: 0.11

Description

The "Billing" page can be accessed by an anonymous user. I noticed this when logging in as a mostly unprivileged user that had REPORT_VIEW. I was able to access the Billing page, which didn't seem right. While still on that page I logged out and the page remained!

Tested using the "regular" branch (0.11) and the permission-enabled one.

To reproduce:

  • access a trac instance with timingandestimationplugin installed without logging in (or log out)
  • go to the /Billing url
  • Make some changes.
  • see feedback that tickets are updated.

I have not checked that tickets are actually touched. But the anonymous user should not have access to the Billing Page by default!

Attachments (0)

Change History (6)

comment:1 Changed 2 years ago by bobbysmith007

  • Priority changed from normal to highest
  • Severity changed from normal to critical

Wow, that's not correct (I was able to reproduce this locally as well). It's not actually a dire situation because the only thing that screen shows that could be even remotely problematic is the bill dates. The Billing screen really just fills in parameters for various reports (so the permissions set on the reports is what is actually important).

I will go ahead and publish a fix asap though.

Thanks very much for pointing this out!

comment:2 Changed 2 years ago by bobbysmith007

Also, I wonder how long this has been the case. I certainly thought that the page was requiring SOME permissions to visit.

comment:3 Changed 2 years ago by bobbysmith007

(In [11383]) T&E Bug fixes

  • remove python version requirements
  • fix date parsing (again)
  • fix db_table_exists (again)

re #9612 and #9793 and #9844 and #9901

comment:4 Changed 2 years ago by bobbysmith007

(In [11384]) T&E Bug fixes (version 1.2.7)

  • Enforce customizable permission on the billing/management page
  • remove python version requirements
  • fix date parsing (again)
  • fix db_table_exists (again)

re #9612 and #9793 and #9844 and #9901

comment:5 Changed 2 years ago by bobbysmith007

(In [11385]) T&E Bug fixes (version 1.2.7 - prev version 0.9.8)

  • Enforce customizable permission on the billing/management page

re #9901

comment:6 Changed 2 years ago by bobbysmith007

  • Resolution set to fixed
  • Status changed from new to closed

I think this should be fixed. As a note it was only the permissionless version of the plugin that was failing to correctly require authorization.

Also note that while it defaults to REPORT_VIEW permissions, you can set this in the trac.ini as follows

[timingandestimation]
#change what permission is required to view the billing/management screen
# default is REPORT_VIEW
billing_permission=TRAC_ADMIN

Please let me know if any part of this doesn't work,
Cheers,
Russ
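As an added illustration of the fix described in this thread (example code written here, not the plugin's own source): the unchecked handler that served the Billing page to anyone, beside a handler that requires the configurable `billing_permission` read from a constructed trac.ini fragment, defaulting to REPORT_VIEW as the comment states. Trac's request and permission objects are replaced by a plain set of granted actions; treating TRAC_ADMIN as implying every other action mirrors Trac's behaviour, and `PermissionDenied` stands in for the error Trac raises.

```python
import configparser

DEFAULT_BILLING_PERMISSION = "REPORT_VIEW"

# Constructed trac.ini fragment, same option as in the comment above (sample input).
SAMPLE_TRAC_INI = """
[timingandestimation]
# change what permission is required to view the billing/management screen
# default is REPORT_VIEW
billing_permission=TRAC_ADMIN
"""


class PermissionDenied(Exception):
    """Stand-in for the error Trac raises from req.perm.require()."""


def billing_permission(ini_text):
    """Permission the Billing page requires; REPORT_VIEW when the section or
    option is absent (assumed default, as described in the ticket)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    value = cfg.get("timingandestimation", "billing_permission",
                    fallback=DEFAULT_BILLING_PERMISSION)
    return value.strip() or DEFAULT_BILLING_PERMISSION


def has_permission(granted, required):
    """Simplified Trac check: TRAC_ADMIN implies every other action."""
    return required in granted or "TRAC_ADMIN" in granted


def billing_page_unchecked(granted):
    """The defect: renders for any requester, anonymous included."""
    return "billing-page"


def billing_page(granted, ini_text=""):
    """The fix: refuse to render unless the configured permission is granted."""
    required = billing_permission(ini_text)
    if not has_permission(granted, required):
        raise PermissionDenied(required)
    return "billing-page"


def can_view_billing(granted, ini_text=""):
    """True/False wrapper around billing_page for quick checks."""
    try:
        billing_page(granted, ini_text)
    except PermissionDenied:
        return False
    return True
```

With the default option an anonymous user (no granted actions) is refused while a REPORT_VIEW user is admitted; with the sample trac.ini only TRAC_ADMIN holders are admitted.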
